Fine-Grained Censorship Mapping

. . . . . .

Introduction Information Sources Legality and Ethics Early Results Questions

Fine-Grained Censorship Mapping -Information Sources, Legality and Ethics

Joss [email protected]

Oxford Internet InstituteUniversity of Oxford

Joss Wright Fine-Grained Censorship Mapping - Information Sources, Legality and Ethics: 1/32

. . . . . .


1 Introduction2 Information Sources3 Legality and Ethics4 Early Results5 Questions


. . . . . .


CensorshipAlmost every country engages in someform of Internet filtering.China’s “Golden Shield” is the classicexample.

Saudi Arabia presents perhaps themost extreme filtering regime.(OpenNet Initiative)

Many different technologies; manydifferent filtering targets; many differentrationales and justifications.


. . . . . .


Censorship TechnologiesWe can classify filtering according totheir focus:

DNS PoisoningIP Header Filtering (address orprotocol)IP Content Filtering (keyword orprotocol)Proxy Filtering

We can consider takedown, socialpressure, legislation as filtering, but willfocus on technology.


. . . . . .


LimitationsA tradeoff between subtlety andcomputational requirements.

Sophisticated methods require greatercomputational resources.At national scale, these can be severe.

Centralization can cause problems, asseen with CleanFeed.

Central management also raisesadministrative and organizationalburdens.


. . . . . .


Localized FilteringWe can observe localized filtering inresponse to local events.We therefore see filtering differ across astate, rather than homogeneity.

We also expect filtering to vary overtime.We may expect organizations to haveone filtering regime, even across astate.

This can reveal filtering tactics, methods,reasoning, limitations.


. . . . . .


Existing WorkHERDICT: crowdsources filteringinformation from volunteer web users.

OpenNet Initiative: use volunteers anddirect means to examine filtering aroundthe world.

Both consider national-level filtering ashomogeneous.Both also make judgements as to thenature of filtering.

Political, religious, social


. . . . . .


Existing ApproachesHERDICT relies on users for information.

Visitors to the website report sites thatappear blocked.

The website actively presents potentiallyblocked content, allowing users to verifyif it is blocked.

OpenNet Initiative’s methods vary, butinclude direct investigation and liasonwith volunteers in blocked regions.


. . . . . .


Fine-Grained SourcesFor fine-grained mapping we wish tocombine data gathered at variouslocations with GeoIP data at the citylevel.

GeoIP databases are increasingly cheapand accurate.

The problem is to get readings from awide geographical distribution.

Ideally, not just blocking status but type ofblocking.


. . . . . .


LimitationsCrowdsourcing or usingvolunteers can be effectiveif the tool is sufficientlyusable, but is limited:

Undirected, inconsistentcoverage.

Direct investigation isexpensive.

Ideally we desire directaccess to filtered internetconnections.


. . . . . .


Direct ActionDirect access to other connections ispossible in some limited cases.

Tor exit nodes, and similar servicessuch as psiphon.VPN services or remote shells.Creatively-used public services –webservers, IRC, bittorrent...

Access to DNS is very simple, anddirectly addresses one major type offiltering.


. . . . . .


Direct Action ProblemsDirect services are rare, especially incountries with interesting filteringregimes.

No-one wants to run Tor-like servicesin filtered areas!

VPN services are also rare. Remoteshells are even more so.

These services are typically offered toget past filtering, not get in.

Creative misuse of open services seemsthe most fruitful option.


. . . . . .


Direct Action MechanismsDNS is simple and effective fordetecting DNS filtering, but is notvery useful beyond that.

Tor and Tor-like services are rare,but wonderful.

BitTorrent seems a likelycandidate, and we have beeninvestigating it, but consent is aserious issue.

If only we could... botnets.


. . . . . .


Legality and EthicsIs it legal to access blockedwebsites?Is it ethical to ask someone else toaccess blocked websites?

Consent for automated tools.

Is it legal to creatively abuse aservice, with or without maliciousintent?

Is it ethical to open a serviceoperator to repercussionsbased around such misuse?


. . . . . .


Legal Concerns

HERDICT Legal FAQ: ”Rules vary bycountry, but we know of no nation where itis illegal for you to report information aboutsites you cannot access.”


. . . . . .


Legal ConcernsSites are sometimes blocked for seriouslegal or societal reasons:

Pornography, homosexuality, lèsemajesté, insult to religion

Reporting sites as blocked may well belegal, but detection attempts may causelegal or social consequences.

When is the risk too small, and how canwe judge this against arbitrary culturalcontexts?


. . . . . .


Current WorkRetrieved a list of 278 DNS serversacross China from the APNIC WHOISdatabase.

Selected the top 80 reported blockedwebsites according to HERDICT.

Performed a DNS query for each site toeach server.

We have code to scan China for DNSservers, but have not deemed itnecessary at this point.


. . . . . .


Early Observations

Initial observations:

Many blocked sites are listed asnon-existent in the majority of DNSservers tested.

Several servers return no result for mostblocked sites, but occasionally redirectrequests to other DNS servers beforedoing so.


. . . . . .


Early ObservationsDNS poisoning is rife:

wujie.net 161 servers returned aresponse to wujie.net directed toonly 9 separate IPs – none of whichoffer services, and are unrelated towujie.net.

Many blocked sites do get genuine DNSresponses.

In many cases we simply get no result, ora timeout.


Next slide: map of China showing cities for which we have data.

. . . . . .

BaotouBeijing

Changchun

Changsha

Chaoyang

Chengdu

Chongqing

Dongguan

Fuzhou

Guangzhou

Guiyang

Harbin

Hebei

Hefei

Jinan

Nanjing

Nanning

Ningbo

Qingdao

Shanghai

Shenyang

Shenzhen

Tianjin

Wuhan

Xiamen

Xian

Xining

Zhengzhou

Zhongshan

Heyuan

. . . . . .

Next slide: zoomed map of China showing cities for which we havedata.

. . . . . .

Baotou

Beijing

Changchun

Changsha

Chaoyang

Chengdu

Chongqing

Dongguan

Fuzhou

Guangzhou

Guiyang

Harbin

Hebei

Hefei

Jinan

Nanjing

Nanning

Ningbo

Qingdao

Shanghai

Shenyang

Shenzhen

Tianjin

Wuhan

Xiamen

Xian

Xining

Zhengzhou

Zhongshan

Heyuan

. . . . . .

Next slide: Relative likelihood that the DNS server will return ‘noresult’ when asked for a censored website. Larger and redder dots aremore likely not to return a result.Note that if a result is given, it is not necessarily correct. (See nextmap.)

. . . . . .

BaotouBaotou

BeijingBeijing

ChangchunChangchun

ChangshaChangsha

ChaoyangChaoyang

ChengduChengdu

ChongqingChongqing

DongguanDongguan

FuzhouFuzhou

GuangzhouGuangzhou

GuiyangGuiyang

HarbinHarbin

HebeiHebei

HefeiHefei

JinanJinan

NanjingNanjing

NanningNanning

NingboNingbo

QingdaoQingdao

ShanghaiShanghai

ShenyangShenyang

ShenzhenShenzhen

TianjinTianjin

WuhanWuhan

XiamenXiamen

XianXian

XiningXining

ZhengzhouZhengzhou

ZhongshanZhongshan

HeyuanHeyuan

. . . . . .

Next slide: Relative likelihood that, if a DNS result is returned for agiven site, that it is a ‘lie’. Specifically, that the returned IP address doesnot point to the requested domain or a related domain. Typically, thesefalse results point to a small number of IP addresses in Beijing.

. . . . . .

BaotouBaotou

BeijingBeijing

ChangchunChangchun

ChangshaChangsha

ChaoyangChaoyang

ChengduChengdu

ChongqingChongqing

DongguanDongguan

FuzhouFuzhou

GuangzhouGuangzhou

GuiyangGuiyang

HarbinHarbin

HebeiHebei

HefeiHefei

JinanJinan

NanjingNanjing

NanningNanning

NingboNingbo

QingdaoQingdao

ShanghaiShanghai

ShenyangShenyang

ShenzhenShenzhen

TianjinTianjin

WuhanWuhan

XiamenXiamen

XianXian

XiningXining

ZhengzhouZhengzhou

ZhongshanZhongshan

HeyuanHeyuan

. . . . . .

. . . . . .


Results of VisualizationWe can clearly verify that filtering isheterogeneous across China.Some cities show little DNS filtering,some return no results, some returnpoisoned results, some do both!

Chengdu, Shenzhen, Shanghai arenotable “tech” cities, and have littlefiltering.Beijing is, perhaps surprisingly, relativelypermissive.


. . . . . .


CaveatsRestricted list of DNS servers. I can getmore, but will have to portscan Chinafor them.

DNS server in a city does not representwhere the users originate.These maps do not show how manyDNS servers were in each city, or giveany distinction between them.

78 DNS servers in Beijing, only 1 inXiamen.


. . . . . .


QuestionsWhat are the legal and, importantly,ethical limits to what we can do in thisarea?What good services exist from which to“bounce” connections?

Specifically, public services rather thanindividual services.

Can we intelligently split onorganizational as well as geographicallines.


. . . . . .


Questions

How can we best represent thisinformation?

What will we learn when we repeatexperiments over time looking forpatterns?

What questions would anyone like toask?


. . . . . .


The End


Fine-Grained Censorship Mapping

Technology

Transcript of Fine-Grained Censorship Mapping